CN115278680A - Mobile application attack detection method, device, equipment and storage medium - Google Patents


Publication number
CN115278680A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210905882.0A
Other languages
Chinese (zh)
Other versions
CN115278680B (en
Inventor
杨珂
王合建
李达
赵丽花
彭轼
吴卓繁
袁国泉
赵新建
张颂
陈石
徐晨维
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Digital Technology Holdings Co ltd
State Grid Blockchain Technology Beijing Co ltd
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
State Grid Digital Technology Holdings Co ltd
State Grid Blockchain Technology Beijing Co ltd
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/049 Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/71 Hardware identity


Abstract

The invention provides a mobile application attack detection method, device, equipment and storage medium. Characteristic data is acquired for each participating link of each data connection. All the characteristic data is taken as the sample content of a data sample, and the unique identifications of all the participating links are combined to form the identification of the data sample, yielding the data sample to be detected. Based on a preset similarity formula, the context similarity between the data sample to be detected at the current moment and at least one data sample to be detected before the current moment is obtained. The data sample to be detected at the current moment, together with its context similarity, is taken as the sample to be verified at the current moment and input into the first attack behavior judgment model for attack type matching. If no attack type is matched, the sample to be verified is input into the second attack behavior judgment model, which judges the attack behavior and the attack type. This enhances and completes the monitoring sample data and can further improve detection efficiency and detection accuracy.

Description

Mobile application attack detection method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a mobile application attack detection method, a device, equipment and a storage medium.
Background
Security protection of the power mobile internet service is an important component of the protection system for the new type of power system. With the advance of energy internet construction and digital transformation, the power mobile internet service has developed rapidly. In recent years in particular, demand for mobile office work has grown explosively, the range of mobile application business keeps extending, and the power internet business has become an important window for interaction between the inside and the outside of a power company. With the wide access of mobile terminals, increasingly blurred network boundaries and the gradual opening of service systems, mobile security protection in the power internet has become more complex. Existing mobile security monitoring technology cannot fully uncover mobile malicious attack behaviors and vulnerability risks, and it is difficult to detect today's complicated and diverse network attacks and threats accurately.
Disclosure of Invention
In order to solve the problems of low precision and poor safety in the prior art, the invention provides a mobile application attack detection method, device, equipment and storage medium, featuring more comprehensive detection and higher precision.
According to the specific implementation manner of the invention, the mobile application attack detection method comprises the following steps:
acquiring characteristic data of each participating link of each data connection;
taking all the characteristic data as sample content of the data sample, combining unique identifications of all the participating links to be used as identifications of the data sample, and obtaining the data sample to be detected;
based on a preset similarity formula, acquiring the context similarity between a data sample to be detected at the current moment and at least one data sample to be detected before the current moment;
taking the data sample to be detected at the current moment together with its context similarity as the sample to be verified at the current moment, and inputting it into a first attack behavior judgment model for attack type matching, wherein the first attack behavior judgment model is constructed on the basis of a preset threat intelligence rule;
and if the attack type is not matched, inputting the sample to be verified into a second attack behavior judgment model, and judging the attack behavior and the attack type, wherein the second attack behavior judgment model is constructed on the basis of a deep neural network.
Further, the second attack behavior determination model includes: if the attack type is not matched, the sample to be verified is input into a second attack behavior judgment model to judge the attack behavior and the attack type, and the judgment comprises the following steps:
carrying out attack behavior detection on the sample to be verified based on the attack behavior detection model;
and detecting the attack type of the detection result of the attack behavior based on the attack type detection model.
Further, the feature data includes at least:
terminal evaluation indexes: $T = \{T_p;\ p = 1, 2, \ldots, P\}$, where $T$ represents the terminal evaluation index, $T_p$ represents the type of the terminal evaluation index, and $P$ represents the total number of the terminal evaluation indexes;
application evaluation indexes: $A = \{A_q;\ q = 1, 2, \ldots, Q\}$, where $A$ represents the application evaluation index, $A_q$ represents the type of the application evaluation index, and $Q$ represents the total number of the application evaluation indexes;
user evaluation indexes: $U = \{U_r;\ r = 1, 2, \ldots, R\}$, where $U$ represents the user evaluation index, $U_r$ represents the type of the user evaluation index, and $R$ represents the total number of the user evaluation indexes; and
service evaluation indexes: $B = \{B_s;\ s = 1, 2, \ldots, S\}$, where $B$ represents the service evaluation index, $B_s$ represents the type of the service evaluation index, and $S$ represents the total number of the service evaluation indexes.
Further, the combining the unique identifiers of all the participating links to serve as the identifier of the data sample includes:
and combining the MAC address of the terminal, the unique identification code of the application, the account of the user and the unique identification code of the service to be used as the identification of the data sample.
Further, the obtaining of the context similarity between the data sample to be detected at the current time and at least one data sample to be detected before the current time based on the preset similarity formula includes: based on
Figure BDA0003772391960000031
Obtaining the context Similarity, wherein Similarity represents the context Similarity and takes a value between 0 and 1,
Figure BDA0003772391960000032
respectively representing the average value of the terminal evaluation indexes, the average value of the application evaluation indexes, the average value of the user evaluation indexes and the average value of the service evaluation indexes in the data samples of the i connections before the current moment; $T_{p\_min}$, $A_{q\_min}$, $U_{r\_min}$, $B_{s\_min}$ respectively represent the minimum value of a terminal evaluation index, the minimum value of an application evaluation index, the minimum value of a user evaluation index and the minimum value of a service evaluation index in the data samples of the i connections before the current moment; $T_{p\_max}$, $A_{q\_max}$, $U_{r\_max}$, $B_{s\_max}$ respectively represent the maximum value of a terminal evaluation index, the maximum value of an application evaluation index, the maximum value of a user evaluation index and the maximum value of a service evaluation index in the data samples of the i connections before the current moment, wherein i is an integer not less than 1.
Further, the construction process of the second attack behavior determination model includes:
constructing a training sample set based on the identification of the data sample, and labeling an attack type label for each training sample, wherein the attack type represented by the attack type label at least comprises DOS attack, malicious application, terminal counterfeiting, user impersonation and legitimate user malicious access;
and training the deep neural network model for judging the attack behavior and the attack type by ten-fold cross-validation based on the training sample set.
Further, the training process of the deep neural network model comprises the following steps:
sequencing the training sample set with the attack type label according to the time sequence to obtain a new training sample set;
performing word representation on the characteristics of the training samples in the new training sample set, and giving different weights to the word representation based on an attention mechanism to obtain embedded representation of each characteristic;
extracting context characteristics of the training samples after the embedded representation based on a long short-term memory (LSTM) neural network model to obtain a characteristic sequence;
distributing different weights for the features in the obtained feature sequence to obtain the incidence relation expression of the features in the feature sequence;
splicing the incidence relation representation of the current training sample and the attack type label of the current training sample to obtain the final representation of the current training sample point;
and performing backpropagation training based on the final representation and the attack type label obtained by the classification model.
According to the specific embodiment of the invention, the mobile application attack detection device comprises:
the characteristic data acquisition module is used for acquiring the characteristic data of each participating link of each data connection;
the sample data construction module is used for taking all the characteristic data as sample content of the data sample, combining the unique identifications of all the participating links and then taking the combined unique identifications as the identification of the data sample to obtain the data sample to be detected;
the similarity determining module is used for acquiring the context similarity between the data samples to be detected at the current moment and the data samples to be detected with the preset number before the current moment based on a preset similarity formula;
the first judgment module is used for taking the data sample to be detected at the current moment together with its context similarity as the sample to be verified at the current moment, and inputting it into a first attack behavior judgment model for attack type matching, wherein the first attack behavior judgment model is constructed on the basis of a preset threat intelligence rule; and
and the second judging module is used for inputting the sample to be verified into a second attack behavior judging model to judge the attack behavior and the attack type if the attack type is not matched, and the second attack behavior judging model is constructed on the basis of the deep neural network.
Further, the second determination module comprises an attack behavior detection submodule and an attack type detection submodule,
the attack behavior detection submodule is used for carrying out attack behavior detection on the sample to be verified;
the attack type detection submodule is used for detecting the attack type of the detection result of the attack behavior.
Further, the feature data acquired by the feature data acquiring module at least includes:
terminal evaluation indexes: $T = \{T_p;\ p = 1, 2, \ldots, P\}$, where $T$ represents the terminal evaluation index, $T_p$ represents the type of the terminal evaluation index, and $P$ represents the total number of the terminal evaluation indexes;
application evaluation indexes: $A = \{A_q;\ q = 1, 2, \ldots, Q\}$, where $A$ represents the application evaluation index, $A_q$ represents the type of the application evaluation index, and $Q$ represents the total number of the application evaluation indexes;
user evaluation indexes: $U = \{U_r;\ r = 1, 2, \ldots, R\}$, where $U$ represents the user evaluation index, $U_r$ represents the type of the user evaluation index, and $R$ represents the total number of the user evaluation indexes; and
service evaluation indexes: $B = \{B_s;\ s = 1, 2, \ldots, S\}$, where $B$ represents the service evaluation index, $B_s$ represents the type of the service evaluation index, and $S$ represents the total number of the service evaluation indexes.
Further, the sample data construction module combines the MAC address of the terminal, the unique identification code of the application, the account of the user, and the unique identification code of the service to be used as the identification of the data sample.
Further, the similarity determination module is based on
Figure BDA0003772391960000051
Obtaining the context Similarity, wherein Similarity represents the context Similarity and takes a value between 0 and 1,
Figure BDA0003772391960000052
respectively representing the average value of the terminal evaluation indexes, the average value of the application evaluation indexes, the average value of the user evaluation indexes and the average value of the service evaluation indexes in the data samples of the i connections before the current moment; $T_{p\_min}$, $A_{q\_min}$, $U_{r\_min}$, $B_{s\_min}$ respectively represent the minimum value of a terminal evaluation index, the minimum value of an application evaluation index, the minimum value of a user evaluation index and the minimum value of a service evaluation index in the data samples of the i connections before the current moment; $T_{p\_max}$, $A_{q\_max}$, $U_{r\_max}$, $B_{s\_max}$ respectively represent the maximum value of a terminal evaluation index, the maximum value of an application evaluation index, the maximum value of a user evaluation index and the maximum value of a service evaluation index in the data samples of the i connections before the current moment, wherein i is an integer not less than 1.
Further, the building process of the second judgment module comprises the following steps:
constructing a training sample set based on the identification of the data sample, and labeling an attack type label for each training sample, wherein the attack type represented by the attack type label at least comprises DOS attack, malicious application, terminal counterfeiting, user impersonation and malicious access of a legal user;
and training the deep neural network model for judging the attack behavior and the attack type by ten-fold cross-validation based on the training sample set.
Further, the training process of the deep neural network model comprises the following steps:
sequencing the training sample set with the attack type label according to the time sequence to obtain a new training sample set;
performing word representation on the characteristics of the training samples in the new training sample set, and giving different weights to the word representation based on an attention mechanism to obtain embedded representation of each characteristic;
extracting context characteristics of the training samples after the embedded representation based on a long short-term memory (LSTM) neural network model to obtain a characteristic sequence;
distributing different weights for the features in the obtained feature sequence to obtain the incidence relation expression of the features in the feature sequence;
splicing the incidence relation representation of the current training sample and the attack type label of the current training sample to obtain the final representation of the current training sample point;
and performing backpropagation training based on the final representation and the attack type label obtained by the classification model.
According to an embodiment of the present invention, there is provided an apparatus, including: a memory and a processor;
the memory is used for storing programs;
the processor is configured to execute the program to implement the steps of the mobile application attack detection method.
According to a specific embodiment of the present invention, there is provided a storage medium having a computer program stored thereon, wherein the computer program is configured to implement the steps of the mobile application attack detection method as described above when executed by a processor.
The mobile application attack detection method provided by the invention acquires the characteristic data of each participating link of each data connection. All the characteristic data is taken as the sample content of a data sample, and the unique identifications of all the participating links are combined to form the identification of the data sample, yielding the data sample to be detected. Based on a preset similarity formula, the context similarity between the data sample to be detected at the current moment and at least one data sample to be detected before the current moment is obtained. The data sample to be detected at the current moment, together with its context similarity, is taken as the sample to be verified at the current moment and input into a first attack behavior judgment model for attack type matching, the first attack behavior judgment model being constructed on the basis of a preset threat intelligence rule. If no attack type is matched, the sample to be verified is input into a second attack behavior judgment model, constructed on the basis of a deep neural network, which judges the attack behavior and the attack type. By constructing a unique identifier from the combination of all participants in an access, the method associates data across all dimensions; it fully mines context association information in the time dimension, which enhances and completes the monitoring sample data; and it combines an attack detection model based on threat intelligence rules with an attack detection model based on a neural network, which can further improve detection efficiency and detection accuracy.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow diagram of a mobile application attack detection method provided in accordance with an example embodiment;
FIG. 2 is a flow diagram of a construction of a neural network model provided in accordance with an exemplary embodiment;
FIG. 3 is a flow diagram of model training provided in accordance with an exemplary embodiment;
FIG. 4 is a block diagram of a mobile application attack detection apparatus provided in accordance with an exemplary embodiment;
FIG. 5 is a block diagram of an apparatus provided in accordance with an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention. Referring to fig. 1, an embodiment of the present invention provides a mobile application attack detection method, which may include the following steps:
101. Acquire characteristic data of each participating link of each data connection.
Taking one TCP connection that accesses an application as an example, the links participating in the connection include at least a terminal, an application, a user, and the service accessed by the user. The characteristic data can comprise the evaluation indexes of each link. The terminal evaluation indexes, represented by T, comprise the MAC address, the IP address, whether the terminal is a power-dedicated terminal, the equipment manufacturer and model, the mobile equipment identity code (IMEI), the network type and the like, and are denoted $T = \{T_p;\ p = 1, 2, \ldots, P\}$, where $T_p$ represents the type of the terminal evaluation index and $P$ represents the total number of the terminal evaluation indexes. The application evaluation indexes, represented by A, comprise the application unique identification code, whether the application is a power-dedicated application, the application identifier, the release channel, the version number, the user range and the like, and are denoted $A = \{A_q;\ q = 1, 2, \ldots, Q\}$, where $A_q$ represents the type of the application evaluation index and $Q$ represents the total number of the application evaluation indexes. The user evaluation indexes, represented by U, comprise the user account, the number of user logins, the user access place, the access time, the access object, whether the terminal is a commonly used one, the network IP used for access, the access duration, the access frequency, the access context, the access flow and the like, and are denoted $U = \{U_r;\ r = 1, 2, \ldots, R\}$, where $U_r$ represents the type of the user evaluation index and $R$ represents the total number of the user evaluation indexes.
The service evaluation indexes, represented by B, comprise the service unique identification code, the total service access flow, the total number of accessing users, the total number of accessing IPs, the total number of accessing devices, the total number of abnormal accesses and the like, and are denoted $B = \{B_s;\ s = 1, 2, \ldots, S\}$, where $B_s$ represents the type of the service evaluation index and $S$ represents the total number of the service evaluation indexes.
102. Take all the characteristic data as the sample content of the data sample, and combine the unique identifications of all the participating links to form the identification of the data sample, obtaining the data sample to be detected.
The data of all links is fused efficiently and accurately through the unified identification, forming a cooperative monitoring sample database for the power mobile internet service. Meanwhile, threat intelligence data is collected and analyzed, and a threat intelligence sample database is constructed. The terminal is associated with the application by associating the terminal identification (MAC address) with the application unique identification code. The application is associated with the service by associating the application unique identification code with the service unique identification code. Through these association relationships, all the data of the terminal, application, user and service links is associated, and a unified data identifier is established from the MAC address, the application unique identification code, the user account and the service unique identification code, which together serve as the unique identification of the data sample to be detected.
103. Based on a preset similarity formula, obtaining the context similarity between the data sample to be detected at the current moment and at least one data sample to be detected before the current moment.
In actual user access behavior, different TCP connections are not independent of each other, and the most recent adjacent TCP connections are especially closely related. A feature, the context similarity, is therefore added to each data sample to be detected based on a preset similarity formula, with a value in the interval [0, 1].
104. Take the data sample to be detected at the current moment together with its context similarity as the sample to be verified at the current moment, and input it into a first attack behavior judgment model for attack type matching, wherein the first attack behavior judgment model is constructed on the basis of a preset threat intelligence rule.
The sample to be verified is S = {unified data identification; terminal monitoring indexes; application monitoring indexes; user monitoring indexes; service monitoring indexes; context similarity}. Aiming at network security threats such as vulnerabilities, attack IPs, malicious applications and attack tools, a mobile internet service threat intelligence sample database is constructed based on threat intelligence extraction and on analysis of the attack paths and attack tool cooperation relationships of various types of attacks. A threat intelligence sample can comprise the attack type, vulnerability characteristics, attack IP characteristics, attack tool characteristics, attack path characteristics and attack tool cooperation relationships. For each attack type, a corresponding judgment rule is designed on the basis of the threat intelligence sample database, and an attack behavior judgment model based on threat intelligence rules is constructed. The threat intelligence rules for each attack type are evaluated, and if a rule is matched, the sample is judged to be an attack of that type. Regarding the construction of the first attack behavior judgment model based on threat intelligence rules, those skilled in the art can adopt existing threat intelligence rules, and the details are not described herein again.
105. If no attack type is matched, input the sample to be verified into a second attack behavior judgment model to judge the attack behavior and the attack type, wherein the second attack behavior judgment model is constructed on the basis of a deep neural network.
When the first attack behavior judgment model does not detect an attack type, the sample to be verified is input into the second attack behavior judgment model, constructed on the basis of a deep neural network, to judge the attack type. The mobile application attack detection method associates the data of each link by constructing the unified data identification, fully mines the context association information of a data sample in the time dimension by calculating the context similarity index, and thereby enhances and completes the monitoring sample data. The attack behavior and attack type are then judged by combining two attack behavior judgment models of different types, which can further improve detection efficiency and detection accuracy.
In some embodiments of the invention, the second attack behavior determination model may include: if the attack type is not matched, the sample to be verified is input into a second attack behavior judgment model, and the judgment of the attack behavior and the attack type is performed, which may include:
performing attack behavior detection on the sample to be verified based on the attack behavior detection model; and
detecting the attack type of the attack behavior detection result based on the attack type detection model.
Specifically, attack detection can be completed in two stages: the first stage detects whether the behavior is an attack behavior, and the second stage detects whether it is a certain type of attack behavior. An attack behavior detection model and a detection model for each attack type are trained separately and then fusion-trained, realizing double detection and improving detection accuracy. In actual use, when the detection result of the power mobile internet service anomaly detection model is abnormal, the attack behavior detection model and the attack detection models for the various types can be executed in parallel, which increases the attack detection speed.
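The routing described above (threat intelligence rules first, the second model only when no rule matches), as an added Python example that is not part of the patent. The threat intelligence entries, the field names, the '|' separator in the identifier and the CountingModel stand-in for the trained second-stage model are all assumptions made for illustration.

```python
"""Added example: rule stage first, second model only on a miss (constructed data)."""
import ipaddress

# Constructed threat-intelligence sample library. Field names are assumptions;
# the text only names the kinds of features (attack IP, attack tool, ...).
# All addresses come from documentation ranges.
THREAT_INTEL = [
    {"attack_type": "DOS attack", "attack_networks": ["203.0.113.0/24"]},
    {"attack_type": "malicious application", "app_ids": ["com.example.badapp"]},
    {"attack_type": "terminal counterfeiting",
     "attack_networks": ["198.51.100.0/24"],
     "attack_tools": ["constructed-tool-signature"]},
]


def sample_identifier(sample):
    """Combine terminal MAC, application ID, user account and service ID.

    The text does not say how the four values are combined; joining them
    with '|' after normalising the MAC is an assumption.
    """
    mac = sample["terminal_mac"].replace("-", ":").lower()
    return "|".join([mac, sample["app_id"], sample["user_account"],
                     sample["service_id"]])


def _ip_in_networks(value, networks):
    try:
        address = ipaddress.ip_address(value)
    except ValueError:  # malformed or missing address: treat as no match
        return False
    return any(address in ipaddress.ip_network(net) for net in networks)


def rule_matches(rule, sample):
    """True only if every indicator the rule specifies matches the sample."""
    checks = []
    if "attack_networks" in rule:
        checks.append(_ip_in_networks(sample.get("source_ip", ""),
                                      rule["attack_networks"]))
    if "app_ids" in rule:
        checks.append(sample.get("app_id") in rule["app_ids"])
    if "attack_tools" in rule:
        checks.append(sample.get("tool_signature") in rule["attack_tools"])
    return bool(checks) and all(checks)


def first_stage(sample, intel=THREAT_INTEL):
    """Return the attack type of the first matching rule, or None."""
    for rule in intel:
        if rule_matches(rule, sample):
            return rule["attack_type"]
    return None


def detect(sample, context_similarity, second_model, intel=THREAT_INTEL):
    """Sample to be verified = data sample + context similarity."""
    to_verify = dict(sample, context_similarity=context_similarity)
    result = {"id": sample_identifier(sample)}
    matched = first_stage(to_verify, intel)
    if matched is not None:
        result.update(stage=1, is_attack=True, attack_type=matched)
    else:
        # Only samples the rules could not classify reach the second model.
        is_attack, attack_type = second_model(to_verify)
        result.update(stage=2, is_attack=is_attack,
                      attack_type=attack_type if is_attack else None)
    return result


class CountingModel:
    """Hypothetical stand-in for the trained second-stage model.

    It returns a fixed (is_attack, attack_type) verdict and counts calls,
    which is enough to show when the second stage is consulted.
    """

    def __init__(self, verdict):
        self.verdict = verdict
        self.calls = 0

    def __call__(self, to_verify):
        self.calls += 1
        return self.verdict


if __name__ == "__main__":
    base = {"terminal_mac": "AA-BB-CC-00-11-22", "app_id": "com.example.meter",
            "user_account": "user01", "service_id": "svc-billing"}
    model = CountingModel((False, None))
    print(detect(dict(base, source_ip="203.0.113.9"), 0.91, model))
    print(detect(dict(base, source_ip="192.0.2.10"), 0.91, model))
    print("second-stage calls:", model.calls)
```

A rule that lists several indicators matches only when all of them are present, so a sample that shares just an address range with a threat intelligence entry still goes to the second model.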
As a feasible implementation manner of the above embodiment, based on a preset similarity formula, obtaining context similarity between a data sample to be detected at a current time and at least one data sample to be detected before the current time includes: based on
Figure BDA0003772391960000101
Obtaining the context Similarity, wherein Similarity represents the context Similarity and takes a value between 0 and 1,
Figure BDA0003772391960000102
respectively represent the average value of the terminal evaluation indexes, the average value of the application evaluation indexes, the average value of the user evaluation indexes and the average value of the service evaluation indexes in the data samples of the i connections before the current time; $T_{p\_min}$, $A_{q\_min}$, $U_{r\_min}$, $B_{s\_min}$ respectively represent the minimum value of a terminal evaluation index, the minimum value of an application evaluation index, the minimum value of a user evaluation index and the minimum value of a service evaluation index in the data samples of the i connections before the current time; $T_{p\_max}$, $A_{q\_max}$, $U_{r\_max}$, $B_{s\_max}$ respectively represent the maximum value of a terminal evaluation index, the maximum value of an application evaluation index, the maximum value of a user evaluation index and the maximum value of a service evaluation index in the data samples of the i connections before the current time, where i is an integer not less than 1. When the calculation is performed, character-type indexes can be converted into numerical data through a conversion rule, and the calculation is then performed on the numerical values. If the user account contains character data, the character data can be converted into corresponding binary values and then calculated; the conversion rule is not limited in the present invention.
Referring to fig. 2, the second attack behavior determination model is constructed by:
201. Constructing a training sample set based on the identification of the data samples, and labeling each training sample with an attack type label, wherein the attack types represented by the attack type labels at least comprise DOS attack, malicious application, terminal counterfeiting, user impersonation and malicious access by a legal user.
203. Training the deep neural network model for determining the attack behavior and the attack type using ten-fold cross-validation on the training sample set.
Specifically, a training sample set based on the identification of the data samples is constructed, and each sample is labeled with an attack type label: the label is 0 if there is no attack, 1 for a DOS attack, 2 for a malicious application, 3 for terminal counterfeiting, 4 for user counterfeiting, 5 for malicious access by a legal user, and so on. An attack behavior determination model based on a deep learning algorithm is then trained using ten-fold cross-validation. Ten-fold cross-validation divides the samples in the sample data set into ten parts and, in turn, takes 9 parts as training data and 1 part as test data for a trial. Each trial yields a corresponding accuracy (or error rate). The average of the accuracy (or error rate) of the 10 results is used as the estimate of the accuracy of the algorithm.
The deep neural network model can be composed of an input layer, a word embedding layer, a bidirectional long short-term memory layer, a representation layer and a classification layer arranged in sequence. Referring to Fig. 3, the training process of the deep neural network model can comprise the following steps:
301. Sorting the training sample set with attack type labels in time order to obtain a new training sample set.
At the input layer, the records labeled with attack types in the sample database are numbered in time order to obtain a training sample set $D_t = \{S_1, S_2, \ldots, S_M\}$, where $D_t$ represents the sample set collected by the sample database at time $t$ and $M$ represents the total number of samples; $S_m$ represents the $m$-th sample in the database, $m \in \{1, 2, \ldots, M\}$, and $S_m = \{F_{0,m}, F_{1,m}, \ldots, F_{N,m}\}$, where $F_{n,m}$ represents the $n$-th feature in sample $m$, $n \in \{1, 2, \ldots, N\}$, and $N$ represents the total number of features in each sample.
302. Performing word representation on the features of the training samples in the new training sample set, and assigning different weights to the word representations based on an attention mechanism to obtain an embedded representation of each feature.
At the word embedding layer, for the $n$-th feature $F_{n,m}$ of the $m$-th input sample $S_m = \{F_{0,m}, F_{1,m}, \ldots, F_{N,m}\}$, a word representation of the feature is obtained via the word embedding layer:
Figure BDA0003772391960000121
The word embedding method may be Word2Vec, etc. A self-attention mechanism is employed so that different features have different weights according to their importance; its output is an embedded representation of each feature of the current sample:
Figure BDA0003772391960000122
303. Extracting the context features of the embedded training sample based on the long short-term memory neural network model to obtain a feature sequence.
In the bidirectional long short-term memory layer, a bidirectional long short-term memory neural network model is constructed to extract the sample context features and obtain an output sequence:
$h_m = \{[h_{l1}, h_{rN}]_m, [h_{l2}, h_{r(N-1)}]_m, \ldots, [h_{lN}, h_{r1}]_m\} = \{h_{1,m}, h_{2,m}, \ldots, h_{N,m}\}$
where $h_{n,m} = [h_{ln}, h_{r(N+1-n)}]_m$, $n \in \{1, 2, \ldots, N\}$, $h_{ln}$ represents the output of the forward long short-term memory network model, and $h_{r(N+1-n)}$ represents the output of the forward long short-term memory network model.
304. Assigning different weights to the features in the obtained feature sequence to obtain the incidence relation representation of the features in the feature sequence.
The features in the output $h_m = \{h_{1,m}, h_{2,m}, \ldots, h_{N,m}\}$ are assigned different weights to obtain the incidence relation representation of the N features of the current sample:
Figure BDA0003772391960000123
305. Splicing the incidence relation representation of the current training sample with the attack type label of the current training sample to obtain the final representation of the current training sample.
At the representation layer, the representation of the current sample
Figure BDA0003772391960000124
and the label $l_m$ of the current sample are spliced to obtain the final representation of the current sample:
Figure BDA0003772391960000125
306. Performing reverse training based on the final representation and the attack type label obtained by the classification model.
At the classification layer, the manually annotated label $l_m$ of the record and the label obtained from the classification model
Figure BDA0003772391960000126
are compared, and the neural network model is trained in reverse based on the difference between the two. This can be a two-class problem: not an attack behavior (labeled 0) or an attack behavior (labeled 1), in which case the classification model may be an SVM or a random forest. It can also be a multi-class problem: not an attack behavior (labeled 0) or a certain attack type (labeled 1, 2, …), in which case the classification model may be a random forest, K-nearest neighbor, etc.
When multi-class classification is difficult to realize and high accuracy for every class is hard to ensure, a two-class training sample set can be constructed for each attack type, that is, not an attack of this type (labeled 0) or an attack of this type (labeled 1). Each sample is labeled according to whether it is an attack of this type, an attack detection model is trained for the attack type, and the model is used to detect whether the access behavior of any device or user is abnormal.
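Ten-fold cross-validation over the label scheme given above, together with the per-attack-type two-class relabeling, as an added Python example rather than the patent's own code. A K-nearest-neighbor classifier (one of the classifiers the text names) stands in for the deep neural network, and the two-feature samples are constructed.

```python
"""Added example: ten-fold cross-validation with the label scheme from the text."""
import random
from collections import Counter

# Labels as given in the text (0 = no attack, 1..5 = attack types).
LABELS = {0: "no attack", 1: "DOS attack", 2: "malicious application",
          3: "terminal counterfeiting", 4: "user impersonation",
          5: "malicious access by a legal user"}


def build_constructed_samples(per_class=20):
    """Constructed 2-feature samples: one tight cluster per label."""
    X, y = [], []
    for label in LABELS:
        for j in range(per_class):
            X.append((10.0 * label + 0.2 * (j % 5), 0.2 * (j // 5)))
            y.append(label)
    return X, y


def k_fold_indices(n_samples, k=10, seed=0):
    """Shuffle the indices once, then cut them into k near-equal folds."""
    if not 2 <= k <= n_samples:
        raise ValueError("need 2 <= k <= number of samples")
    order = list(range(n_samples))
    random.Random(seed).shuffle(order)
    base, extra = divmod(n_samples, k)
    folds, start = [], 0
    for f in range(k):
        size = base + (1 if f < extra else 0)
        folds.append(order[start:start + size])
        start += size
    return folds


def knn_predict(train_X, train_y, x, k=3):
    """Majority vote among the k nearest training samples."""
    nearest = sorted(
        (sum((a - b) ** 2 for a, b in zip(tx, x)), ty)
        for tx, ty in zip(train_X, train_y))[:k]
    votes = Counter(label for _, label in nearest)
    return votes.most_common(1)[0][0]


def cross_validate(X, y, k=10, seed=0):
    """Return the per-fold accuracies; their mean is the accuracy estimate."""
    accuracies = []
    for test_idx in k_fold_indices(len(X), k, seed):
        held_out = set(test_idx)
        train_X = [X[i] for i in range(len(X)) if i not in held_out]
        train_y = [y[i] for i in range(len(y)) if i not in held_out]
        correct = sum(knn_predict(train_X, train_y, X[i]) == y[i]
                      for i in test_idx)
        accuracies.append(correct / len(test_idx))
    return accuracies


def one_vs_rest(y, attack_type):
    """Two-class labels for one attack type: 1 = this type, 0 = anything else."""
    return [1 if label == attack_type else 0 for label in y]


def per_type_estimates(X, y, k=10, seed=0):
    """Mean k-fold accuracy of a separate two-class detector per attack type."""
    estimates = {}
    for attack_type, name in LABELS.items():
        if attack_type == 0:
            continue  # label 0 means "no attack", not an attack type
        accs = cross_validate(X, one_vs_rest(y, attack_type), k, seed)
        estimates[name] = sum(accs) / len(accs)
    return estimates


if __name__ == "__main__":
    X, y = build_constructed_samples()
    fold_acc = cross_validate(X, y)
    print("per-fold accuracy:", fold_acc)
    print("multi-class estimate:", sum(fold_acc) / len(fold_acc))
    for name, est in per_type_estimates(X, y).items():
        print(f"{name}: {est:.2f}")
```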
Referring to Fig. 4, based on the same design concept, an embodiment of the present invention further provides a mobile application attack detection apparatus, which can perform the steps of the mobile application attack detection method provided in the foregoing embodiment, and the apparatus may include:
a characteristic data obtaining module 401, configured to obtain characteristic data of each participating link of each data connection;
the sample data construction module 402 is configured to use all feature data as sample content of a data sample, and combine unique identifiers of all participating links to obtain an identifier of the data sample, so as to obtain a to-be-detected data sample;
the similarity determining module 403 is configured to obtain context similarity between the data sample to be detected at the current time and the data samples to be detected in the preset number before the current time based on a preset similarity formula;
the first determination module 404 is configured to input the to-be-detected data sample at the current time and the context similarity as a to-be-verified sample at the current time into a first attack behavior determination model for attack type matching, where the first attack behavior determination model is constructed based on a preset threat intelligence rule; and
a second determination module 405, configured to, if the attack type is not matched, input the sample to be verified to a second attack behavior determination model to determine the attack behavior and the attack type, where the second attack behavior determination model is constructed based on a deep neural network.
The mobile application attack detection device has the same beneficial effects as the mobile application attack detection method, and the invention is not repeated herein.
Further, the second determination module comprises an attack behavior detection submodule and an attack type detection submodule, both of which are connected with the first determination module.
The attack behavior detection submodule is used for carrying out attack behavior detection on the sample to be verified;
and the attack type detection submodule is used for detecting the attack type of the attack behavior detection result.
Further, the feature data acquired by the feature data acquisition module at least includes:
terminal evaluation indexes: $T = \{T_p;\ p = 1, 2, \ldots, P\}$, where $T$ represents the terminal evaluation index, $T_p$ represents the type of the terminal evaluation index, and $P$ represents the total number of the terminal evaluation indexes;
application evaluation indexes: $A = \{A_q;\ q = 1, 2, \ldots, Q\}$, where $A$ denotes the application evaluation index, $A_q$ denotes the type of application evaluation index, and $Q$ denotes the total number of application evaluation indexes;
user evaluation indexes: $U = \{U_r;\ r = 1, 2, \ldots, R\}$, where $U$ denotes the user evaluation index, $U_r$ denotes a type of the user evaluation index, and $R$ denotes the total number of the user evaluation indexes; and
service evaluation indexes: $B = \{B_s;\ s = 1, 2, \ldots, S\}$, where $B$ denotes the service evaluation index, $B_s$ denotes the type of the service evaluation index, and $S$ denotes the total number of the service evaluation indexes.
Further, the sample data construction module combines the MAC address of the terminal, the unique identification code of the application, the account of the user and the unique identification code of the service to be used as the identification of the data sample.
Further, the similarity determination module is based on
Figure BDA0003772391960000141
Obtaining context Similarity, wherein Similarity represents the context Similarity, the value is between 0 and 1,
Figure BDA0003772391960000142
respectively represent the average value of the terminal evaluation indexes, the average value of the application evaluation indexes, the average value of the user evaluation indexes and the average value of the service evaluation indexes in the data samples of the i connections before the current time; $T_{p\_min}$, $A_{q\_min}$, $U_{r\_min}$, $B_{s\_min}$ respectively represent the minimum value of a terminal evaluation index, the minimum value of an application evaluation index, the minimum value of a user evaluation index and the minimum value of a service evaluation index in the data samples of the i connections before the current time; $T_{p\_max}$, $A_{q\_max}$, $U_{r\_max}$, $B_{s\_max}$ respectively represent the maximum value of the terminal evaluation index, the maximum value of the application evaluation index, the maximum value of the user evaluation index and the maximum value of the service evaluation index in the data samples of the i connections before the current time, where i is an integer not less than 1.
Further, the construction process of the second judgment module comprises the following steps:
constructing a training sample set based on the identification of the data sample, and labeling an attack type label for each training sample, wherein the attack type represented by the attack type label at least comprises DOS attack, malicious application, terminal counterfeiting, user impersonation and malicious access of a legal user;
and training the deep neural network model for determining the attack behavior and the attack type using ten-fold cross-validation on the training sample set.
Further, the training process of the deep neural network model comprises the following steps:
sequencing the training sample set with the attack type label according to the time sequence to obtain a new training sample set;
performing word representation on the characteristics of the training samples in the new training sample set, and giving different weights to the word representation based on an attention mechanism to obtain embedded representation of each characteristic;
extracting context characteristics of the training sample after the embedded representation based on the long-time and short-time memory neural network model to obtain a characteristic sequence;
distributing different weights for the features in the obtained feature sequence to obtain the incidence relation expression of the features in the feature sequence;
splicing the incidence relation representation of the current training sample and the attack type label of the current training sample to obtain the final representation of the current training sample point;
and carrying out reverse training based on the attack type label obtained by the final representation and classification model.
As shown in fig. 5, an embodiment of the present invention further provides an apparatus, which may include: a memory 501 and a processor 502. The memory 501 stores programs. The processor 502 is configured to execute the program to implement the steps of the mobile application attack detection method according to the above embodiment.
Embodiments of the present invention also provide a storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the mobile application attack detection method as described above.
While, for purposes of simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combination of acts, it will be appreciated by those skilled in the art that the present invention is not limited by the illustrated ordering of acts, as some steps may occur in other orders or concurrently with other steps in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The steps in the method of each embodiment of the present invention may be sequentially adjusted, combined, and deleted according to actual needs, and the technical features described in each embodiment may be replaced or combined.
The modules and sub-modules in the device and the terminal of the embodiments of the present invention can be combined, divided and deleted according to actual needs.
In the embodiments provided in the present invention, it should be understood that the disclosed terminal, apparatus and method may be implemented in other ways. For example, the above-described terminal embodiments are merely illustrative, and for example, the division of a module or a sub-module is only one logical division, and there may be other divisions when the terminal is actually implemented, for example, a plurality of sub-modules or modules may be combined or integrated into another module, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
The modules or sub-modules described as separate parts may or may not be physically separate, and parts that are modules or sub-modules may or may not be physical modules or sub-modules, may be located in one place, or may be distributed over a plurality of network modules or sub-modules. Some or all of the modules or sub-modules can be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, each functional module or sub-module in each embodiment of the present invention may be integrated into one processing module, or each module or sub-module may exist alone physically, or two or more modules or sub-modules may be integrated into one module. The integrated modules or sub-modules can be implemented in the form of hardware, and can also be implemented in the form of software functional modules or sub-modules.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software unit executed by a processor, or in a combination of the two. The software unit may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A mobile application attack detection method is characterized by comprising the following steps:
acquiring characteristic data of each participating link of each data connection;
taking all the characteristic data as sample content of the data sample, combining unique identifications of all the participating links to be used as identifications of the data sample, and obtaining the data sample to be detected;
based on a preset similarity formula, obtaining the context similarity between a data sample to be detected at the current moment and at least one data sample to be detected before the current moment;
inputting the data sample to be detected at the current moment and the context similarity, as a sample to be verified at the current moment, into a first attack behavior judgment model for attack type matching, wherein the first attack behavior judgment model is constructed on the basis of a preset threat intelligence rule;
and if the attack type is not matched, inputting the sample to be verified into a second attack behavior judgment model, and judging the attack behavior and the attack type, wherein the second attack behavior judgment model is constructed on the basis of a deep neural network.
2. The method of claim 1, wherein the second attack behavior determination model comprises: if the attack type is not matched, the sample to be verified is input into a second attack behavior judgment model to judge the attack behavior and the attack type, and the judgment comprises the following steps:
performing attack behavior detection on the sample to be verified based on the attack behavior detection model;
and detecting the attack type of the detection result of the attack behavior based on the attack type detection model.
3. The method according to claim 1, characterized in that said characteristic data comprise at least:
terminal evaluation indexes: $T = \{T_p;\ p = 1, 2, \ldots, P\}$, where $T$ represents the terminal evaluation index, $T_p$ represents the type of the terminal evaluation index, and $P$ represents the total number of the terminal evaluation indexes;
application evaluation indexes: $A = \{A_q;\ q = 1, 2, \ldots, Q\}$, where $A$ denotes the application evaluation index, $A_q$ denotes the type of application evaluation index, and $Q$ denotes the total number of application evaluation indexes;
user evaluation indexes: $U = \{U_r;\ r = 1, 2, \ldots, R\}$, where $U$ represents the user evaluation index, $U_r$ represents the type of the user evaluation index, and $R$ represents the total number of the user evaluation indexes; and
service evaluation indexes: $B = \{B_s;\ s = 1, 2, \ldots, S\}$, where $B$ denotes the service evaluation index, $B_s$ denotes the type of the service evaluation index, and $S$ denotes the total number of the service evaluation indexes.
4. The method of claim 1, wherein the combining the unique identifiers of all participating links to serve as the identifier of the data sample comprises:
and combining the MAC address of the terminal, the unique identification code of the application, the account of the user and the unique identification code of the service to be used as the identification of the data sample.
5. The method according to claim 3, wherein the obtaining the context similarity between the data sample to be detected at the current time and at least one data sample to be detected before the current time based on a preset similarity formula comprises: based on
Figure FDA0003772391950000021
Obtaining the context Similarity, wherein Similarity represents the context Similarity and takes a value between 0 and 1,
Figure FDA0003772391950000022
respectively represent the average value of the terminal evaluation indexes, the average value of the application evaluation indexes, the average value of the user evaluation indexes and the average value of the service evaluation indexes in the data samples of the i connections before the current time; $T_{p\_min}$, $A_{q\_min}$, $U_{r\_min}$, $B_{s\_min}$ respectively represent the minimum value of a terminal evaluation index, the minimum value of an application evaluation index, the minimum value of a user evaluation index and the minimum value of a service evaluation index in the data samples of the i connections before the current moment; $T_{p\_max}$, $A_{q\_max}$, $U_{r\_max}$, $B_{s\_max}$ respectively represent the maximum value of the terminal evaluation index, the maximum value of the application evaluation index, the maximum value of the user evaluation index and the maximum value of the service evaluation index in the data samples of the i connections before the current moment, where i is an integer not less than 1.
6. The method according to claim 1, wherein the second attack behavior determination model is constructed by:
constructing a training sample set based on the identification of the data sample, and labeling an attack type label for each training sample, wherein the attack type represented by the attack type label at least comprises DOS attack, malicious application, terminal counterfeiting, user impersonation and malicious access of a legal user;
and training the deep neural network model for judging the attack behavior and the attack type using ten-fold cross-validation on the training sample set.
7. The method of claim 6, wherein the training process of the deep neural network model comprises:
sequencing the training sample set with the attack type label according to the time sequence to obtain a new training sample set;
performing word representation on the characteristics of the training samples in the new training sample set, and giving different weights to the word representation based on an attention mechanism to obtain embedded representation of each characteristic;
extracting context characteristics of the training sample after the embedded representation based on the long-time and short-time memory neural network model to obtain a characteristic sequence;
distributing different weights for the features in the obtained feature sequence to obtain the incidence relation expression of the features in the feature sequence;
splicing the incidence relation representation of the current training sample and the attack type label of the current training sample to obtain the final representation of the current training sample point;
and carrying out reverse training based on the final representation and the attack type label obtained by the classification model.
8. A mobile application attack detection apparatus, comprising:
the characteristic data acquisition module is used for acquiring the characteristic data of each participating link of each data connection;
the sample data construction module is used for taking all the characteristic data as sample content of the data sample, combining the unique identifications of all the participating links and then taking the combined unique identifications as the identification of the data sample to obtain the data sample to be detected;
the similarity determining module is used for obtaining the context similarity between the data samples to be detected at the current moment and the data samples to be detected in the preset number before the current moment based on a preset similarity formula;
the first judgment module is used for inputting the data sample to be detected at the current moment and the context similarity, as a sample to be verified at the current moment, into a first attack behavior judgment model for attack type matching, and the first attack behavior judgment model is constructed on the basis of a preset threat intelligence rule; and
and the second judging module is used for inputting the sample to be verified into a second attack behavior judging model to judge the attack behavior and the attack type if the attack type is not matched, and the second attack behavior judging model is constructed on the basis of the deep neural network.
9. An apparatus, comprising: a memory and a processor;
the memory is used for storing programs;
the processor, configured to execute the program, implementing the steps of the mobile application attack detection method according to any one of claims 1 to 7.
10. A storage medium having stored thereon a computer program, characterized in that the computer program, when being executed by a processor, carries out the steps of the mobile application attack detection method according to any one of claims 1 to 7.
CN202210905882.0A 2022-07-29 2022-07-29 Mobile application attack detection method, device, equipment and storage medium Active CN115278680B (en)

Publications (2)

Publication Number Publication Date
CN115278680A (en) 2022-11-01
CN115278680B (en) 2023-04-07

Family

ID=83771948

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210905882.0A Active CN115278680B (en) 2022-07-29 2022-07-29 Mobile application attack detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115278680B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160219067A1 (en) * 2015-01-28 2016-07-28 Korea Internet & Security Agency Method of detecting anomalies suspected of attack, based on time series statistics
CN111586071A (en) * 2020-05-19 2020-08-25 上海飞旗网络技术股份有限公司 Encryption attack detection method and device based on recurrent neural network model
WO2021258348A1 (en) * 2020-06-24 2021-12-30 深圳市欢太科技有限公司 Abnormal flow detection method and system and computer storage medium
CN113869233A (en) * 2021-09-30 2021-12-31 湖南大学 Multi-expert anti-attack detection method based on context feature inconsistency

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114553523A (en) * 2022-02-21 2022-05-27 平安普惠企业管理有限公司 Attack detection method and device based on attack detection model, medium and equipment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ABDULLAYEVA J. FARGANA: "Convolutional Neural Network-Based Automatic Diagnostic System for AL-DDoS Attacks Detection", 《INTERNATIONAL JOURNAL OF CYBER WARFARE AND TERRORISM (IJCWT)》 *
李静等: "互联网未知威胁监测及应用技术研究", 《网络安全技术与应用》 *
王兆国等: "抗混淆的Android应用相似性检测方法", 《华中科技大学学报(自然科学版)》 *

Also Published As

Publication number Publication date
CN115278680B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
CN111428231B (en) Safety processing method, device and equipment based on user behaviors
CN116305168B (en) Multi-dimensional information security risk assessment method, system and storage medium
CN109831459B (en) Method, device, storage medium and terminal equipment for secure access
CN112733045B (en) User behavior analysis method and device and electronic equipment
CN112837069A (en) Block chain and big data based secure payment method and cloud platform system
CN112422574A (en) Risk account identification method, device, medium and electronic equipment
CN110162958B (en) Method, apparatus and recording medium for calculating comprehensive credit score of device
CN113706100B (en) Real-time detection and identification method and system for Internet of things terminal equipment of power distribution network
CN114168968A (en) Vulnerability mining method based on Internet of things equipment fingerprints
Gharibshah et al. RIPEx: Extracting malicious ip addresses from security forums using cross-forum learning
CN116488915A (en) Deep learning-based Web attack detection and classification recognition method and device
CN115759748A (en) Risk detection model generation method and device and risk individual identification method and device
CN113645173A (en) Malicious domain name identification method, system and equipment
CN113783852B (en) Intelligent contract Pompe fraudster detection algorithm based on neural network
WO2021248707A1 (en) Operation verification method and apparatus
CN110365625B (en) Internet of things security detection method and device and storage medium
CN117236699A (en) Network risk identification method and system based on big data analysis
CN115278680B (en) Mobile application attack detection method, device, equipment and storage medium
CN111784360A (en) Anti-fraud prediction method and system based on network link backtracking
CN116827656A (en) Network information safety protection system and method thereof
CN116467720A (en) Intelligent contract vulnerability detection method based on graph neural network and electronic equipment
CN109995605B (en) Flow identification method and device and computer readable storage medium
CN115186759A (en) Model training method and user classification method
CN113553571B (en) Method and device for measuring reliability of terminal equipment
CN114065225A (en) Service vulnerability protection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant